According to Dr. Gary McGraw’s ground breaking work on software security, up to half of security mistakes are made in design rather than in coding. For the last 10 years we’ve been told that we are supposed to do this through threat modeling. What else can we do to include security in application design?